
I have an ASP.NET Core 3.1 application which follows a domain-driven architecture and has 2 areas, one for admins and the other for customers (application users).

I want to enable authentication and authorization for each area separately. For example, use Identity 4 for the customer area and cookie-based authentication for the admin area. But it should be done using a single database, and role-based authentication should not be used to separate the areas.

What is the best approach to follow? For example "multiple authentication schemes", or any other method.

  • Maybe you can use role-based authorization. Commented Feb 10, 2021 at 7:10
  • @mj1313 thank you for your reply. Yes, each area has its own roles, but the requirement is to use 2 different logins with different databases. Commented Feb 10, 2021 at 8:08
  • @Nayanajith You can use a multitenant application system for the solution you want. For that reason, admin and customer will have a separate database; neither will access the other's data. Commented Feb 10, 2021 at 9:44
  • @BrettLee thank you for your response. It's not possible to use 2 databases, as the requirement is to use a single database with separate login and register for each area. Commented Feb 10, 2021 at 19:04
  • Is it possible to use cookie authentication and Identity authentication both in a single project? Commented Feb 11, 2021 at 2:22

1 Answer


When it comes to login for admin and customer, you can implement it by using acr_values (see the definition in the spec). The identity server can decide how to authenticate based on acr_values; for example, if you provide admin_login as acr_values, then based on that Identity Server will authenticate the user (using a different identity provider or a different database/table).

Your application needs to know whether the user wants to log in as a customer or an admin before you redirect to the identity server's authorize endpoint. In order to know that, you will have to implement different authentication schemes in your application (one for admin and one for customer). Once you know the user's login type, you can add the correct acr_values. The code below is not tested, but it should give you an idea of how to implement it.

    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Authentication.Cookies;
    using Microsoft.AspNetCore.Authentication.OpenIdConnect;
    using Microsoft.Extensions.DependencyInjection;

    // Startup.ConfigureServices. In Configure, app.UseAuthentication() must run
    // before app.UseAuthorization() for any of this to take effect.
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            // A plain [Authorize] authenticates with the default scheme, i.e. the
            // customer cookie; admin endpoints must name "AdminCookie" explicitly.
            options.DefaultScheme = "CustomerCookie";
            options.DefaultChallengeScheme = "oidc";
        })
        .AddCookie("CustomerCookie", options =>
        {
            options.Cookie.Name = "CustomerCookie";
            // Unauthenticated customer requests are challenged via the customer OIDC handler.
            options.ForwardChallenge = "oidc";
        })
        .AddCookie("AdminCookie", options =>
        {
            options.Cookie.Name = "AdminCookie";
            // Unauthenticated admin requests are challenged via the admin OIDC handler.
            options.ForwardChallenge = "admin-oidc";
        })
        .AddOpenIdConnect("oidc", options =>
        {
            // Configure all other options needed (Authority, ClientId, ClientSecret,
            // ResponseType, Scope, ...).

            // Tokens returned for a customer login are stored in the customer cookie.
            options.SignInScheme = "CustomerCookie";
            // Each OIDC handler needs its own callback path (and its own
            // SignedOutCallbackPath if you use sign-out); otherwise the first
            // registered handler tries to process the other handler's response.
            options.CallbackPath = "/signin-oidc-customer";

            options.Events.OnRedirectToIdentityProvider = context =>
            {
                // Tells the identity server which login flow to run.
                context.ProtocolMessage.SetParameter("acr_values", "customer_login");
                return Task.CompletedTask;
            };
        })
        .AddOpenIdConnect("admin-oidc", options =>
        {
            // Configure all other options needed (typically a separate ClientId).

            options.SignInScheme = "AdminCookie";
            options.CallbackPath = "/signin-oidc-admin";

            options.Events.OnRedirectToIdentityProvider = context =>
            {
                context.ProtocolMessage.SetParameter("acr_values", "admin_login");
                return Task.CompletedTask;
            };
        });
    }

On the identity server side you have full control over what to do based on acr_values; you can use an external provider for admin.

You could use IIdentityServerInteractionService.GetAuthorizationContextAsync to retrieve acr_values, and you could implement IProfileService so that, once authenticated, you can decide which claims to include based on user type (admin or customer).

That would be the basic idea, hopefully it is useful.
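The application side of the scheme setup above, as an added example that is not part of the original answer. It assumes the scheme names "AdminCookie" and "CustomerCookie" from the answer's code, a hypothetical user_type claim issued by the identity server, and hypothetical controller names. The point it demonstrates is the check a practitioner wants with a customer cookie as the default scheme: each area is bound to its own scheme through an authorization policy, so a valid customer cookie can never satisfy an admin endpoint, and the claim requirement stops a ticket from the wrong login flow even if both cookies are issued by the same identity server.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Assumed: scheme names match the AddAuthentication() registration above.
public static class AreaPolicies
{
    public const string Admin = "AdminArea";
    public const string Customer = "CustomerArea";

    public static IServiceCollection AddAreaAuthorization(this IServiceCollection services)
    {
        return services.AddAuthorization(options =>
        {
            // Each policy names the scheme it accepts, so a ticket issued by the
            // other area's cookie (or by the default scheme) never satisfies it.
            options.AddPolicy(Admin, policy => policy
                .AddAuthenticationSchemes("AdminCookie")
                .RequireAuthenticatedUser()
                // Hypothetical claim emitted by the identity server's IProfileService
                // for logins that went through the admin_login flow.
                .RequireClaim("user_type", "admin"));

            options.AddPolicy(Customer, policy => policy
                .AddAuthenticationSchemes("CustomerCookie")
                .RequireAuthenticatedUser()
                .RequireClaim("user_type", "customer"));

            // A bare [Authorize] anywhere in the app falls back to the customer
            // policy, so it can never accidentally admit an admin cookie as-is.
            options.DefaultPolicy = options.GetPolicy(Customer);
        });
    }
}

[Area("Admin")]
[Authorize(Policy = AreaPolicies.Admin)]
public class DashboardController : Controller
{
    public IActionResult Index() => Content("admin dashboard");
}

[Area("Customer")]
[Authorize(Policy = AreaPolicies.Customer)]
public class OrdersController : Controller
{
    public IActionResult Index() => Content("customer orders");
}
```

Register it with services.AddAreaAuthorization() next to the AddAuthentication() call. If user_type is delivered by the userinfo endpoint rather than inside the id_token, the OIDC handler drops it unless you add options.ClaimActions.MapUniqueJsonKey("user_type", "user_type") to each AddOpenIdConnect registration; without that mapping the RequireClaim checks fail closed for everyone, which is at least the safe direction.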


1 Comment

Thank you for the detailed answer; this is useful
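The identity server side described in the answer, as an added example that is not the answer's own code. It assumes IdentityServer4 (the AuthorizationRequest.AcrValues, IdentityServerUser, IProfileService and IIdentityServerInteractionService APIs), a hypothetical IUserStore over the single database with one table per user type, and the acr_values strings "customer_login" and "admin_login" from the answer's code. The login action reads acr_values from the pending authorize request, verifies the password against the matching table, records the login type as a claim on the identity server session, and the profile service turns that into the claims each area's tokens carry. A login with missing or unknown acr_values is rejected rather than silently defaulting to one table.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

// Hypothetical user record; both user types live in one database, one table each.
public class AppUser
{
    public string Id { get; set; }
    public string UserType { get; set; }   // "admin" or "customer"
}

// Hypothetical store over the single database: verify credentials against the
// table selected by the login type, return null on failure.
public interface IUserStore
{
    Task<AppUser> ValidateAsync(string table, string username, string password);
}

public class AccountController : Controller
{
    private readonly IIdentityServerInteractionService _interaction;
    private readonly IUserStore _users;

    public AccountController(IIdentityServerInteractionService interaction, IUserStore users)
    {
        _interaction = interaction;
        _users = users;
    }

    [HttpPost]
    public async Task<IActionResult> Login(string username, string password, string returnUrl)
    {
        // The authorize request that triggered this login carries the acr_values
        // the client application set (customer_login or admin_login).
        var context = await _interaction.GetAuthorizationContextAsync(returnUrl);
        if (context == null)
        {
            return BadRequest("login must be started from an authorize request");
        }

        var acr = context.AcrValues ?? Enumerable.Empty<string>();
        string userType;
        if (acr.Contains("admin_login")) userType = "admin";
        else if (acr.Contains("customer_login")) userType = "customer";
        else return BadRequest("unknown login type");   // fail closed

        // Same database, different table per login type (table names assumed).
        var table = userType == "admin" ? "AdminUsers" : "CustomerUsers";
        var user = await _users.ValidateAsync(table, username, password);
        if (user == null)
        {
            return Unauthorized();
        }

        var isuser = new IdentityServerUser(user.Id)
        {
            DisplayName = username,
            // Record the login type on the session so the profile service can use it.
            AdditionalClaims = { new Claim("user_type", userType) }
        };
        await HttpContext.SignInAsync(isuser);

        // Only redirect to a return URL that belongs to a registered client.
        return _interaction.IsValidReturnUrl(returnUrl) ? Redirect(returnUrl) : Redirect("~/");
    }
}

// Decides which claims go into tokens and userinfo based on the recorded login type.
public class AreaProfileService : IProfileService
{
    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var userType = context.Subject.FindFirst("user_type")?.Value;
        var claims = new List<Claim>();
        if (userType != null)
        {
            claims.Add(new Claim("user_type", userType));
        }
        // Admin-only claims never reach a customer session (claim name assumed).
        if (userType == "admin")
        {
            claims.Add(new Claim("admin_level", "full"));
        }
        context.IssuedClaims = claims;
        return Task.CompletedTask;
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        // Sessions without a recorded login type are treated as inactive.
        context.IsActive = context.Subject.FindFirst("user_type") != null;
        return Task.CompletedTask;
    }
}
```

Register the profile service with services.AddIdentityServer(...).AddProfileService<AreaProfileService>(). Because the login type is decided from acr_values before the password is checked, an admin account's credentials are never even tested against the customer table and vice versa, which is what keeps the two logins separate without relying on roles.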
